CVE-2025-60739
Published: 25 November 2025
Summary
CVE-2025-60739 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Ilevia Eve X1 Server Firmware. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CSRF vulnerability by requiring validation of inputs to the /bh_web_backend component, such as CSRF tokens or origin headers, to prevent forged requests leading to arbitrary code execution.
Protects session authenticity to ensure requests to the vulnerable endpoint originate from legitimate user sessions, blocking cross-site forgery attacks.
Remediates the specific CSRF flaw in Ilevia EVE X1 Server Firmware v4.7.18.0.eden and prior versions through timely patching or updates.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSRF and DOM-based XSS in public-facing web backend (/bh_web_backend.php) enable exploitation of the application (T1190) and JavaScript code execution (T1059.007) for information disclosure and arbitrary code execution.
NVD Description
Cross Site Request Forgery (CSRF) vulnerability in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before, Logic Version v6.00 - 2025_07_21 allows a remote attacker to execute arbitrary code via the /bh_web_backend component
Deeper analysisAI
CVE-2025-60739 is a Cross Site Request Forgery (CSRF) vulnerability in Ilevia EVE X1 Server Firmware version v4.7.18.0.eden and prior, as well as Logic Version v6.00 - 2025_07_21. The flaw exists in the /bh_web_backend component and enables a remote attacker to execute arbitrary code. It carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and is linked to CWEs-79, CWE-200, and CWE-352.
A remote attacker can exploit this vulnerability without authentication by tricking a user into performing an action via a malicious webpage or link, given the requirement for user interaction (UI:R). No privileges are needed (PR:N), and exploitation is straightforward over the network (AV:N) with low attack complexity (AC:L). Success grants high-impact confidentiality, integrity, and availability compromise, with scope expansion (S:C) allowing arbitrary code execution on the server.
Mitigation details and a proof-of-concept are available in the referenced GitHub repository at https://github.com/iSee857/ilevia-EVE-X1-Server-CSRF.
Details
- CWE(s)